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ABSTRACT 

This  paper  presents  a  distributed  algorithm  to 
detect  deadlocks  in  distributed  data  bases. 
Features  of  this  paper  are  (1)  a  formal  model  of 
the  problem  is  presented,  (2)  the  correctness  of 
the  algorithm  is  proved,  i.e.  we  snow  that  all 
true  deadlocks  will  be  detected  and  deadlocks  will 
not  be  reported  falsely,  (3)  no  assumptions  are 
made  other  than  that  messages  are  deceived 
correctly  and  in  order  and  (a)  the  algorithm  is 
simple. 

1.  INTRODUCTION 

A  great  deal  of  effort  has  gone  into  developing 
a  distributed  algorithm  for  detecting  resource 
deadlocks  in  distributed  data  bases  (DDBs) 
[3,9,7].  In  a  September  1980  paper  Gligor  and 
Shattuck  (it]  state  "Renewed  interest  in 
distributed  systems  has  resulted  in  the 
publication  of  at  least  ten  protocols  for  deadlock 
detection.  However,  few  of  these  protocols  are 
correct  and  fewer  appear  to  be  practical."  In 
this  paper  we  present  a  solution  to  this  much- 
studied  problem. 

The  following  paragraph  briefly  reviews  the 
literature  on  distributed  deadlock  detection.  A 
model  of  deadock  and  an  algorithm  for  deadlock 
detection  suitable  for  message  passing  systems 
appears  in  (1j.  The  message  model  of  deadock 
assumes  that  a  process  which  is  waiting  to 
communicate  with  other  processes,  cannot  proceed 
with  its  execution  until  It  communicates  with  any 
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one  of  the  processes  It  is  waiting  for.  The  DDB 
model  considered  in  '.his  paper  and  in  15,9,6,7] 
assumes  that  a  process  can  proceed  only  wnen  It 
receives  a_l_l  resources  that  it  is  waiting  lor. 
The  any/all  ill f foron-e  In  these  models  results  in 
completely  different  algorithms  for  deadlock 
detection.  Deadlock  detection  for  a  class  of 
communicating  finite  state  machines  is  consi  ered 
in  £53.  In  this  paper  we  are  concerned  with 
dynamic  detection  of  deadlocks  rather  than  with 
proving  that  specific  communicating  sequential 
machines  do  not  deadlock,  which  is  the  problem 
considered  In  { 5  J .  We  consider  the  genera)  class 
of  problems  appearing  in  [3,9,7).  In  particular, 
the  DDB  model  we  use  Is  derived  from  Henasce  and 
Muntz,  one  of  the  first  papvs  In  this  area.  For 
a  complete  review  of  the  literaure  see  [9,6,8). 

The  organization  of  thi3  paper  is  as  follows. 
Section  2  presents  a  si..iple  formal  model  of  a 
distributed  system;  this  model  is  called  the  basic 
model.  Section  3  describes  an  algorithm  to  detect 
deadlock  in  the  basic  node)  and  presents  its 
proof.  Performance  issues  are  found  in  section  9. 
A  distributed  algorithm  by  which  a  deadlocked 
process  can  determine  the  identity  of  otner 
processes  in  the  deadocked  ret  is  presented  in 
section  5.  In  section  6  we  review  the  distributed 
data  base  model  presented  by  Menase.e  and  Muntz 
[3],  who  were  about  the  first  to  treat  the 
problem.  We  then  show  how  the  basic  model 
algorithm  can  be  extended  to  solve  the  DDB 
problem. 


2.  THE  BASIC  MODEL 


2.1.  Goal  of  This  Section 

One  of  the  difficulties  with  work  in  the  area 
of  DDBs  is  in  describing  the  model  of  a  DDB 
clearly  and  unambiguously.  Since  informal, 
operational  models  often  result  in  ambiguity  we 
have  chosen  to  describe  our  model  by  axioms.  Ojr 
proofs  of  correctness  use  these  axioms;  they  do 
not  rely  on  1  tap  licit,  assumptions  about  DDBs.  The 
basic  model  which  is  described  in  this  section  is 
a  simple,  abstract  model;  its  relevance  to  DDBs 
may  not  be  clear  irotodi  jtcly,  but  is  ill  .mussed  In 
detail  in  section  6.  In  the  basic  model,  the 
state  of  computation  i3  represented  by  a  graph 


called  a  walt-for  graph  [  1 1  in  uhlch  the  vert  lees 
represent  processes  which  nay  send  and  receive 
messages.  We  use  a  walt-for  graph  model  hcu.iuse 
much  of  the  earlier  work  Is  based  on  wjit-for 
graphs.  The  graph  also  nelps  to  distinguish  t lie 
underlying  DDR  computation  from  the  computation 
associated  with  Jead lock  detection. 

The  basic  model  is  described  by  two  sets  of 
axioms:  graph  axioms  and  process  axioms.  Graph 
axioms  specify  how  the  walt-for  graph  may  change 
over  time.  Graph  axioms  are  concerned  exclusively 
with  the  underlying  L'llB  computation  and  not  with 
the  computation  associated  with  dead' ook 
detection.  Process  arons  are  concerned  with  the 
relationship  between  the  deadlock  detection 
computation  and  the  underlying  ODD  computation. 
The  goal  of  this  section  is  to  present  and 
motivate  the  graph  and  process  axioms.  The  model 
Is  described  and  the  graph  axioms  are  motivated  in 
section  2.2,  the  graph  axioms  arc  presented  In  2.3 
and  the  problem  of  distributed  deadlock  detection 
In  the  basic  model  is  described  in  2.  A.  The 
problem  description  relies  on  the  graph  axioms 
alone.  The  process  axioms  (section  2.5)  are  the 
rules  which  must  be  obeyed  by  any  deadlock 
detection  algorithm.  An  explanation  for  the 
process  axioms  is  presented  in  section  2.6. 


addition  and  d»*l'*M..:i  of  v-*ill'-‘"i  in  i  ia  wall-fat* 
graph.  lt|  com  so,  ijfii„.rn  u.d  tri  r.ire.i  *  i  piofcssri 
cannot  carry  Mil  .ictlmi*.  lor  other  processes  or 
request  art  Ions  I rom  other  processes. 

We  now  describe  the  h-hivlor  of  a  network  of 

processes  In  terms  of  e. .loured  gr. .  pi.  s.  We  use 

process  pj  and  vertex  Vj,  interchange..!.  1  y . 

2.3.  Graph  Axioms  C 1  -  GA 

Cl:  (Creation ) :  A  grey  edge  (Vj,v.) 

nay  be  created  if  edge  (Vj.Vj) 

does  not  exist. 

02:  (Blackening):  A  grey  edge  will 

turn  black  after  an  arbitrary, 

finite  time. 

G3:  (Whitening):  A  black  rl.-e  (vj.Vi) 

may  turn  white  only  If  v,  has  no 
outgoing  edges.  (Only  active 

processes  may  reply). 

04:  (Deletion):  A  white  edg.e  will 

disappear  after  an  arbitrary, 
finite  time. 


2.2.  Model  Description 

A  distributed  system  consists  of  a' finite  set 
of  processes.  A  process  is  in  one  of  two  states: 
active  or  blocked.  A  process  p(  is  blocked  if  it 
is  waiting  for  one  or  more  processes  to  carry  ou  . 
some  action  (such  as  releasing  resources  needec  by 
Pj).  An  active  process  is  not  waiting  for  any 
other  process.  When  pj  needs  pj  to  carry  out  some 
-jtion  it  sends  a  request  to  Pj*.  when  p.  carries 
out  the  requested  t'tion  it  sends  a  reply  to  pt. 
Only  active  processes  may  carry  out  actions  for 
other  processes,  hence  only  active  processes  can 
send  replies.  The  state  of  execution  of  all 
processes  in  a  system  is  captured  by  a  directed 
graph  G  called  the  wait-for  graph.  There  is  a 
one-to-one  correspondence  between  vertices  in  G 
and  processes  in  the  system,  with  vertex  Vj 
corresponding  to  process  pj<  Edge  (vj.Vj)  exists 
In  G  if  and  only  if  pj  has  sent  a  request  to  pj 
and  has  not  yet  received  a  reply. 


Edge  Colours:  The  edge3  in  G  are  coloured 

grey,  black  or  white.  Edge  (Vj.Vj)  is: 


grey: 


black: 


white: 


If  pj  has  sent  a  request  to  p, 
which  Pj  has  not  received  (yet). 

If  pj  has  received  a  request  from 
Pj  and  has  not  sent  the 
corresponding  reply  to  pj. 

if  p,  has  sent  a  reply  to  Pj  which 
Pj  has  not  received  (yet). 


We  assume,  for  convenience,  that  there  are 
vertices  In  the  wait-for  graph  corresponding  to 
terminated  processes  ar.d  to  processes  that  have 
yet  to  be  created.  This  allows  us  to  ignore  the 


We  next  define  the  deadlock  detection  problem 
for  the  basic  model  and  present  the  process  axioms 
which  must  be  followed  by  a  deadlock  detection 
algorithm. 


2. *i .  The  Deadlock  Detection  Problem  in  the  Basic 
Model 


A  dark  cycle,  l.e.  a  cycle  in  which  all  edges 
are  grey  or  black  (some  may  be  grey  and  others 
black),  will  persist  forever  because,  it  follows 
from  the  graph  axioms  that  cdge3  in  a  dark  cycle 
cannot  be  whitened  or  deleted. 

Problem  PR0D1:  Construct  a  distributed 
algorithm  by  which  a  vertex  vj  can  detect  if  it  is 
part  of  a  dark  cycle. 

The  algorithm  by  which  Vj  determines  if  it  is 
part  of  a  dark  cycle  is  called  a  probe 
computation.  In  probe  computations  vertices  send 
messages,  called  probes,  to  one  another;  probes 
are  concerned  with  deadlock  detection  exclusively 
and  are  distinct  from  requests  and  replies.  We 
now  present  axioms  which  describe  how  processes 
communicate;  these  axioms  show  the  relationship 
between  requests,  replies  and  probes.  We  assume 
that  messages  (i.e.  requests,  replies  and  probes) 
are  received  in  finite  time  in  the  order  sent. 


2.5.  Process  Axioms  PI  -  pi| 

An  explanation  of  these  axioms  is  given  in 
section  2.6. 


r.  i  - :  -  *  . 
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3.  AN  ALGOHITIIM  Kill  TIIK  UAblC  MODEL 


PI:  If  a  probe  la  sent  by  Vj  to  vj 

when  edge  (vj.Vj)  Is  Urey,  edge 
(»j,Vj)  will  turn  black  sometime 
afterJ  this  probe  Is  sent  and 
before  It  Is  received.  If  a  probe 
from  Vj  Is  received  by  v.  when 
edge  (vj.vj)  Is  block  then  edge 
Cvj,v<)  existed  .uid  was  dark  (grey 
or  black)  at  all  times  from  the 
Instant  at  which  the  probe  was 
sent,  to  the  Instant  the  probe  was 
received. 

P2:  If  a  probe  Is  sent  by  v.  to  v, 

when  (Vj.Vj)  Is  white  thenJ(v1 ,v ,) 
will  disappear  sometime  after  this 
probe  Is  sent  and  before  It  is 
received. 

P3:  A  vertex  Vj  can  determine 

(locally)  if  there  is  an  outgoing 
edge  (Vj.Vj)  to  any  v,.  though  it 
cannot  determine  Its  colour 
(locally).  A  vertex  Vi  can 
determine  (locally)  if  there  is  an 
incoming  black  edge  (v,,v,),  from 
any  Vj. 

PA:  Every  probe  will  be  received  In 

some  arbitrary  finite  time  after 
it  is  sent. 


2.6.  explanation  of  the  Process  Axioms 

PI :  A  probe  sent  by  Vj  to  vj  when  (lfj.Vj)  is 
grey  must  have  been  sent  after  v,  sent  Vj  the 
request  which  caused  grey  ed,.e  (vj.Vj)  to  be 
created.  Since  messages  arc  received  inJthe  order 
sent,  the  request  must  be  received  by  Vj  (causing 
edge  (vj.Vj)  to  turn  black)  before  the  probe  is 
received,  ihe  explanation  for  the  second  part  of 
Pt  Is  similar. 

P2:  A  probe  sent  by  Vj  to  v,  when  edge  (Vj,v.) 
is  white  must  have  been  sent  after  Vj  sent  v^  the 

reply  which  caused  edge  (vj.vj)  to  change  colour 
from  black  to  white.  Since  messages  are  received 
in  the  order  sent,  the  reply  must  be  received  by 
Vj  (causing  edge  (vltvj)  to  disappear)  before  v^ 
receives  the  probe. 

P3:  An  edge  < v ^ . v  . >  can  be  created  and  deleted 
by  Vj,  and  v^  alone;  hence  v,  can  determine  if  it 
exists.  An  edge  (Vj.Vj)  is  black  only  if  v,  has 
received  a  request  from  v^  and  It  has  not  yet  sent 
a  corresponding  reply.  Hence  v,  is  aware  of  black 
edge  (vj.Vj).  J 

PA:  Basic  rule  of  message  communication. 

This  completes  the  description  of  the  basic 
model.  From  now  on,  we  will  use  only  the  axioms  Gt 
-  GA  and  PI  -  PA  to  reason  about  the  computation. 
Therefore,  we  do  not  use  the  terms  "request," 
"reply,"  "resource,"  etc.  hereafter. 


3.1.  Goal  of  This  Section 

The  goal  of  this  section  Is  to  present  a 
solution  to  the  problem,  I’HOHl,  presented  in 
section  2. A:  construct  a  distributed  algorithm 
(i.e.  a  probe  computation,)  by  which  a  vertex  can 
detect  If  It  is  part  of  a  dark  cycle.  In  this 
section  we  do  not  discuss  the  question  of  ulien  a 
vertex  should  Initiate  such  a  computation,  this 
question  Is  considered  In  section  A.  gee i ion  3.? 
introduces  probe  computations.  Section  3.3 
presents  the  desired  properties  of  probe 
computations  while  section  3. A  presents  the  probe 
computation  algorithm  Itself.  Coriectness  proofs 
are  found  In  section  3.0. 


3.2.  Introduction  to  Probe  Computations 

To  determine  whether  It  Is  on  a  dark  cycle,  a 
vertex  Vj  Initiates  a  computation  called  a  probe 
computation.  Several  vertices  may  initiate  probe 
computations  and  the  sane  vertex  may  initiate 
several  probe  computations.  To  distinguish  each 
probe  computation,  the  messages  and  variables  used 
in  the  n-th  computation  initiated  by  vertex  i  are 
tagged  (i,n).  In  the  next  paragrapli  we  shall 
discuss  one  probe  computation,  say  the  (i.n)th. 
In  the  interests  of  brevity  we  shall  not  tag 
messages  and  variables  in  the  following  discussion 
with  (i,n);  the  tag  should  be  understood 
implicitly. 

A  vertex  v,  will  send  at  mo3t  one  probe  to  any 
vk  in  one  pro Be  computation.  The  probe  is  said  Kc 
be  meaningful  if  and  on’y  if  edge  (v.,vk>  exists 
and  is  black  at  the  time  that  vk  receives  the 
probe.  From  P3,  vk  can  determine  if  a  probe  i3 
meaningful. 


3.3.  Properties  of  a  Probe  Computation:  QRP1, 

QBP2  *  “ 

A  probe  computation  is  designed  to  have  the 
following  two  properties  (proofs  are  in  section 

3.5): 

QRP1 i  If  the  initiator  of  a  probe 

computation  is  on  a  dark  cycle 

when  it  initiates  the  probe 

computation  then  the  initiator 
will  eventually  receive  a 
meaningful  probe. 

QRP2:  If  the  initiator  of  a  probe 

computation  receives  a  meaningful 
probe  then  it  is  on  a  black  cycle 
at  the  time  at  which  it  receives 

the  probe. 


3. A.  Algol  1  ttim  for  a  Probe  Comput.it  i on 

Algorithm  for  the  luitl .iton 

AO:  Send  probes  along  all  outgoing 

edges. 

At:  Upon  receiving  the  first 

meaningful  probe  declare  that  "V[ 
Is  on  a  black  cycle." 

Algor lthn  f or  a  vertex  Vj  other  than  the 
Initiator 


Upon  receiving  the  first 
meaningful  probe  send  probes  on 
ail  outgoing  cdge3. 


Cj  ,eK,  K<n,  are  all  black  at  t(K>;  we  will 

prove .that  e j ,ep, . . .e^^ 1  are  all  black  at  t ( K  *  1 ) . 
We  first  prove  that  e^,]  exists  tri  the  interval 
1 1  ( K  > .  1 1 K  -*  1 ) }  and  that  It  Is  black  at  t(K»1). 

From  step  A?  of  the  algorithm,  <y  existed  at  time 
t(K).  from  the  definition  ol  meaningful  probe, 
eyt1  exists  and  la  black  at  a  later  tie.-  t(K.*1). 
From  PI,  ejj^j  existed  from  the  Instant  t'  that 
VJ(K)  •‘,<‘,)t  tiie  probe  to  time  t(K»l)  at  which 
VJ(K+1)  received  the  probe.  Note 

tiK)  ^  t1  <  t ( K ♦ 1 ) •  From  the  algorithm  (see  note 
below  algorithm)  this  edge  existed  at  all  times 
from  t(K)  to  t'.  Hence  e^j  exists  at.  all  times 
from  t(K)  to  t(K*l).  We  now  prove  that  edges 
*0...*‘K  c*isted  and  were  black  In  this  interval. 
This  follows  from  the  observation  that  if  ok 
exists  in  the  interval  [  t(K ) , t ( K+ 1 ) J ,  then  e^.., 
exists  and  remains  black  In  this  Interval  (from 
Induction  hypothesis  and  G3),  for  k  =  1,..,K. 
This  proves  the  assertion. 


Note:  Each  step  A0.A1.A2  of  the  algorithm, 
once  started  must  be  completed  before  the  process 
can  send  or  receive  other  messages.  Therefore  the 
set  of  outgoing  edges  from  process  v,  in  step  AO 
(and  process  v.  in  step  A2)  do  not  change  during 
the  step. 


We  have  shown  that  a  probe  computation 
satisfies  the  desired  properties  presented  In 
section  3-3.  Tn  the  next  section  wc  discuss 
issues  related  to  performance. 


A.  PERFORMANCE  ISSUES 


3.5.  Proof  of  Correctness  of  a  Probe  Computation 


Theorem  1  (Property  QRP1 ) 


If  the  Initiator  Is  on  a  dark  cycle  when  it 
initiates  the  probe  computation  then  It  will 
eventually  get  a  meaningful  probe. 

Proof:  l.et  the  initiator  vi,  be  on  a  dark  (and 
therefore  permanent)  cycle  C.  v^  will  send  t  probe 
to  Its  successor  vertex  v,  in  C  (l.e.  edge  (vj.v,) 
is  in  C),  and  from  PI  this  probe  is  meaningful; 
similarly  Vj  will  sc;.d  a  meaningful  probe  to  Its 
successor  in  C,  and  so  on,  and  thus  every  vertex 
on  C  (including  the  initiator)  will  eventually 
receive  a  meaningful  probe. 

Theorem  2  (Property  QRP2) 


If  the  initiator  receives  a  meaningful  probe 
then  it  is  on  a  black  cycle  when  this  probe  is 
received. 

Proof:  The  initiator  is  the  only  vertex  which 

can  send  a  probe  without  having  received  a 
meaningful  probe  (follows  from  step  A2  of  the 
algorithm).  Hence  if  the  initiator  v,  receives  a 
meaningful  probe,  there  exists  a  finite  sequence 

^1(0) - v1(n)  Hh«re  <’>  v1(0>  *  v j(n)  s  vl 

(2)  vj(k)  received  a  meaningful  probe  from  .. 

at  time  tk.  and  t(k-l)  <  t(k),  k  =  1,..n-1.  Let 
ek  denote  the  edge  <vj<k-i ) «v j(k) * •  He  wl11  Prove 
tne  following  assertion  for  all  k,  1<k<n  by 
Induction  on  k:  at  time  t(k)  the”  edges 

*1'®2'",,fk  3re  black.  The  theorem  then 

follows  by  setting  km  In  this  assertion.  For 
k=l,  the  assertion  follows  from  the  definition  of 
meaningful  probe.  Now  inductively  assume  that 


A . 1 .  Goal  Of  Th js  Section 

In  section  3  we  presented  an  algorithm 
computation)  ay  which  a  vertex  can  determine 
is  on  a  dark  cycle.  In  this  -action  we  will 
by  discussing  the  question  of  when  a  vertex 
initiate  a  probe  computation  (A. 2).  The  vol 
message  traffic  associated  with  probe  comput 
and  methods  for  reducing  the  number  of 
computations  are  discussed  in  section  A.  3. 
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A.  2.  When  Should  a  Vertex  Initiate  a  Probe 
Computation? 

It  is  sufficient  for  any_nne  vertex  on  a  dark 
cycle  to  detect  that  it  Is  deadlocked  provided 
this  vertex  later  informs  all  other  vertices  on 
the  dark  cycle  that  they  arc  deadlocked  too.  An 
algorithm  by  which  a  deadlocked  vertex  informs 
other  vertices  that  they  too  are  deadlocked  13 
presented  in  section  5.  Therefore,  in  this 
section  we  need  only  be  concerned  with  an 
initiation  rule  by  which  at  least  one  vertex  in  a 
dark  cycle  will  detect  deadlock. 

We  employ  the  following  initiation  rule:  A 
vertex  Vj  initiates  a  probe  computation  when  any 
outgoing  edge  (vitv.)  is  added  to  the  wait-for 
graph.  With  this  rule.  If  the  addition  of  edge 
(Vj.Vj)  creates  a  dark  cycle  In  the  walt-for 
graph’,  then  Vj  will  detect  that  It  is  on  a  dark 
cyelo,  and  hence  deadlocked.  Rules  which  yield 
better  performance  are  treated  In  the  next 
section. 


*t.3.  Performance  Aspects  of  tin-  Algorithm 

Recall  that  to  distinguish  probe  computations 
Initiated  by  different  vertices,  and  by  the  same 
vertex  at  different  tines  we  tag  the  n-tti  probe 
computation  initiated  by  Vj  with  (i,n),  i.e.  all 
probes  and  variables  associated  with  that 

computation  are  tagged  (i,n).  If  probe 

computation  <l,n)  is  initiated,  all  probe 

computations  (i,k)  with  k<n  may  be  Ignored. 
Therefore,  every  vertex  need  only  keep  track  of 
one,  (the  latest)  probe  computation  initiated  by 
each  vertex.  Hence  every  process  must  keep  track 
of  N  probe  computations  where  N  is  the  number  of 
vertices  in  the  f-aph.  For  a  given  probe 

computation,  a  vertex  sends  only  one  probe  on  any 
outgoing  edge.  Hence,  there  can  be  at  most  N2 
probes  in  a  single  probe  computation. 

The  number  of  probe  computations  initiated  can 
be  reduced  by  having  a  vertex  initiate  a  probe 
computation  only  if  an  outgoing  edge  (v^Vj)  has 
been  in  existence  continuously  for  some  time  T, 
where  T  is  a  performance  parameter.  If  ed*e 
(vj.v.)  is  deleted  before  T  time  units  have 
elapsed  then  v,  has  avoided  Initiating  a  probe 
computation.  Issues  related  to  determining  the 
optimum  value  of  T  are  found  in  [6],  Tiie  basic 
tradeoff  is  that  if  T  is  too  small  too  many  probe 
computations  are  Initiated  and  if  T  is  too  large 
the  tine  taken  to  detect  deadlock  (which  is  at 
least  T)  is  too  large. 


5.  PROPAGATING  WAIT-FOR  GRAPH  INFORMATION  TO 
DEADLOCKED  VERTICES 


1 . 1 .  Goal  of  This  Section 

A  distributed  algorithm  by  which  a  vertex  can 
determine  all  permanent  black  paths  leading  from 
it  la  '  ited  in  this  section;  the  permanent 
black  pains  form  the  deadlocked  portion  of  the 
valt-for  graph,  and  determining  the  edges  and 
vertices  in  the  deadlocked  portion  of  the  graph  is 
useful  in  breaking  deadlocks.  The  question  of  how 
deadlocks  should  be  broken  13  not  treated  here; 
the  reader  is  encouraged  to  read  C 3 , 6 D - 


5.2.  Computation  to  Determine  the  Walt-For  Graph 
(WFGD  Computation) 

Messages  in  a  WFGD  computation  consist  of  sets 
of  edges,  A  message  M  sent  to  a  vertex  v.  is  a 
set  containing  only  edges  on  permanent  black  paths 
(i.e.  paths  all  of  whose  edges  are  black  and  are 
guaranteed  to  remain  black)  from  Vj.  Each  vertex 
*i  has  a  local  variable  S.,  whichJ  Is  the  set  of 
edges  (that  v.  Is  aware  of)  on  permanent  black 
paths  leading  riom  v..  Initially  S.  is  empty,  for 
all  J.  After  the  initiator  Vj  of  a  probe 
computation  receives  a  meaningful  probe,  It 
declares  that  it  is  on  a  black  cycle  and 
thereafter  sends  a  message  M  s  <(v,,vj))  to  every 
vertex  Vj  1/  edge  (Vj.Vj)  is  black.  Since  Vj  is 
on  a  black  cycle  Cv.,vj)  must  be  permanently 
black.  On  receiving  a  message  M,  vj  sots 


3i  i  St  M  and  t.lieraai  ter  sends  M'  where 
H*  =  (rvk,v ,))  Sj  to  every  vertex  where 

(v^.vj)  is  oi  nk,  if  it  lias  not  already  sent  the 
same  message.  It'  to  vk.  Since  M  only  contains 
cdr.es  on  permanent ,  black  paths  lending  from  v., 
M'  only  contains  edges  on  permanent  black  paths 
leading  from  vk.  It  is  evident  that  every  vertex 
will  determine  all  permanent  black  paths  leading 
from  it  in  finite  time.  A  WFGD  computation  will 
cease  because  a  vertex  never  sends  the  same 
message  (set  of  edges)  twice  to  another  vertex. 


6.  THE  DISTRIBUTED  DATA  BASE  PROBLEM 
6.1.  Goal  o f  This  Section 

We  have  presented  and  proved  an  algorithm  for 
the  basic  model.  We  now  show  how  the  lgorithm  for 
the  basic  model  can  be  extended  to  handle  the 
distributed  data  base  model  considered  in  13. A). 
Wc  first  review  the  lienasce-Muntz  DUB  model 
(section  6.2)  and  point  out  the  differences 
between  the  DI'H  model  and  the  basic  in., del  in 
section  6.3.  An  abstraction  of  the  BOB  model, 
based  on  coloured  graphs  is  found  in  section  6.  A. 
Probe  computations  for  the  DDB  model  are 
introduced  in  section  6.5.  The  algorithm  to  solve 
the  DDB  deadlock  problem  is  presented  in  section 
6.6,  and  a  performance  issue  specific  to  DDBs  is 
discussed  in  section  6.7. 


6.2.  An  Introduction  to  the  DDB  Deadlock  Problem 

A  DDB  is  implemented  by  N  computers  U1,..,SN. 
There  is  a  local  operating  system  or  controller  C. 
at  each  computer  S,  to  schedule  processes,  manage 
resources  and  carry  out  communications,  lucre  are 
N  transactions  T 1 , . . , TH  running  on  the  DDB.  A 
transaction  is  Implemented  by  a  collection  of 
processes  with  at  most  one  process  per  computer. 
Each  process  is  labeled  with  a  tuple  (Tj.G.)  where 
Tj  is  the  identity  of  the  transaction  that  the 
process  belongs  to  and  Sj  is  the  computer  on  which 
the  process  runs.  The  tuple  (Tj.Gj)  uniquely 
identifies  a  process. 

A  controller  Cj  sends  a  message  to  a  process 
<Tj,Sj)  by  putting  the  message  in  the  process's 
memory  area  and  scheduling  the  process.  A  process 
(Tj.Sj)  sends  a  message  to  its  controller  Cj  by 
putting  the  message  In  the  controller's  memory 
area  and  then  returning  control  to  the  controller. 
A  process  (Tj,S,)  communicates  directly  only  with 
its  own  controller  Cj.  Controllers  may  send 
messages  to  one  another.  Messages  sent  by  any 
controller  C,  to  any  controller  Cm  will  be 
received  by  Cm  in  finite  time  and  in  the  order 
sent  by  Cj. 

At  some  stage  in  a  transaction's  computation  it 
may  need  to  "lock"  resources  (such  as  files). 
There  ore  different  kinds  of  locks  (read  locks  and 
write  locks  for  instance)  but  the  details 
regarding  locks  and  locking  protocols  arc  not 
relevant  to  the  problem  described  here;  the  reader 
is  referred  to  [3.6],  When  a  process  (Tj.S.) 
needs  a  resource  it  sends  a  request  to  lls 


control  lor  Cj.  If  Cj  manages  the  resource  It  may 
accede  to  the  process's  request  immediately  or  the 
process  nay  have  to  wait  to  acquire  the  requested 
resource.  If  the  requested  resource  Is  n.ui.,,  •  •!  by 
some  other  controller  Cn,  then  Cj  transmits  the 
request  on  to  process  (TjtbRt  via  controller  Cn; 
the  request  is  now  made  locally  by  process  (Tj,Sr,) 
to  Its  own  controller  C)n.  Wien  (T,. acquires 
the  requested  resource  from  C,,,  it  sends  a  message 
to  (T^.Sj)  (via  CR  and  Cj)  stating  that  the 
requested  resource  lias  been  acquired.  (Tj.Sj)  may 
now  proceej  with  its  computation.  When  processes 
In  a  transaction  Tj  no  longer  need  a  resource 
managed  by  controller  Cm,  they  communicate  with 
process  (Tj,Sm)  who  Is  responsible  for  releasing 
the  resource  to  Cn. 

A  process  cannot  proceed  with  its  computation 
unless  it  acquires  every  resource  that  it 
requests.  Thus  a  process  is  blocked  permanently 
from  proceeding  with  computation  if  it  never 
acquires  a  requested  resource.  We  assume  that  if 
a  single  transaction  runs  Itself  in  the  DDB  it 
will  ter.-iinate  in  finite  time  and  eventually 
release  all  resources.  When  two  or  more 
transactions  run  In  parallel,  deadock  may  arise 
because  each  transaction  may  be  blocked  needing 
resources  held  by  other  transactions.  The  problem 
is  to  construct  an  algorithm  to  detect  deadlock. 


6.3.  Difference  Between  the  DDB  and  Basic  Model 

In  the  basic  model,  one  process  directly 
requests  another  to  carry  out  some  action.  In  tin! 
DDB  model,  a  process  may  not  be  aware  of  other 
processes;  furthermore,  a  process.  only 
communicates  directly  with  its  controller.  Hence, 
the  primary  difference  between  the  basic  model  and 
the  DDB  model  is  that  in  the  bat.c  model  a  process 
determines  locally  which  processes  to  (request 
actions  from  and)  wait  for,  whereas  in  the  DDB 
model  the  controlle-  at  eacli  computer  determines 
the  process  waiting  behavior  at  that  cumputer. 


6. A.  A  Graph  Model  of  DDB  Deadlock 

As  In  the  basic  model  there  is  a  one-to-one 
correspondence  between  processes  in  the  system  and 
vertices  in  the  wait-for  graph  C.  There  is  an  edge 
In  G  from  a  process  (T^.S.)  to  another  process 
(Tjj.Sj)  at  the  same  computer  S<,  if  controller  C, 
has  a  request  from  (Tj.Sj)  for  resources  held  by 
(Tk,Sj).  Such  an  edge  in  0  (which  is  incident  on 
vertices  corresponding  to  processes  at  a  single 
controller)  is  called  an  Intra-controller  edge. 
There  is  an  edge  in  G  from  a  process  (Tj.S.)  to 
another  process  (Tt,Sn)  within  the  J  same 
transaction  Tj  (but  at  a  different  computer)  if 
(Tj.Sj)  Is  waiting  Tor  a  message  that  it  has 
acquired  a  resource  managed  by  Cn;  such  an  edge  is 
called  an  Inter-controller  edge. 

The  colour  of  an  inter-controller  edge  from 
(Tj,S.)  to  (TrSm)  is  grey,  black  or  white,  where 
the  colours  have  the  same  meaning  as  in  the  basic 
model,  l.e.  It  is  grey,  if  (Tj.Sj)  has  requested  a 
resource  managed  by  and  Cr  lias  not  received  the 
request  yet;  It  turns  black  when  Cm  receives  the 


request  and  white  when  C  gives  the  requested 
resource  to  (T|,b  )  (at  witch  point  it  sends  a 
message  to  (T  ,.’1.)  saying  that  the  resource  has 
been  acquired).  since  the  existence  of  an  lntra- 
eonlroller  edge  ( (T, ,Sj ) , (T^.S j) )  depends  only 
■pon  controller  C  s  awareness  that  (Tj,S:> 
requires  a  resource  neld  by  (T^.S,),  and  since  C, 
schedules  (Tj.Sj)  and  (T^.Oj)  we  may  assume  that 
all  intra-controller  edges  are  black.  The  formal 
graph  model  is  described  by  the  following  axioms. 

Graph  Axioms  G1-G6  f  a  DDB 

Axioms _re gar  din  g  intra-control ler  edges 

G1:  A  black  intra-controller  edge 

{ (Tj  ,S j ) ,  (Tj,  ,S j ) )  may  be  added  to 
G  If  none  exists. 

G2:  A  black  intra-controller  edge 

((T, ,S  j ) , (Tu ,S j ) )  may  be  deleted 
if  nasJno  outgoing  edges. 

Axioms _ regarding^  _  i_n t  o  r  -c  o n  tro  1 1  er edges 

Tanalogou3  to  the  basic  model) 

G3:  A  Croy  inter-controller  edge 

< { T,  ,S  ,) ,  (Tj  ,Sm)>  may  be  added  to 
G  If  tne  edge  does  not  exist. 

OH;  A  grey  inter-controll er  edRe  will 

turn  black  in  an  arbitrary,  finite 
time. 

A5;  A  black  Inlcr-conlrol ) er  edge 

((T  ,S,),(Tj ,"m)>  can  turn  white 
if  t T^S.,  has  no  outgoing  edges. 

G6:  A  white  inter-control  lei-  edge  will 

disappear  in  arbitrary,  finite 
time. 

A  dark  cycle  in  G  will  persist  forever.  The 
problem  is  to  construct  a  distributed  algorithm  by 
which  a  controller  C,  can  determine  if  one  of  its 
processes  (Tj,Sj)  Is  on  a  dark  cycle.  The 
algorithm  must  J  satisfy  the  following  process 
axioms  which  are  analogous  to  the  process  axioms 
for  the  basic  model. 

PI ;  If  a  probe  is  sent  by  C ,  to  Cn  when  edge 
((Tj.Sj), (T,,Sro))  is  grey,  then  the  edge  will  turn 
black  some  time  after  the  probe  is  sent  and  before 
it  is  received.  If  a  probe  from  C,  is  received  by 
Cm  when  the  edge  is  black  then  tne  edge  existed 
and  was  dark  from  the  instant  that  the  probe  was 
sent  to  the  Instant  that  the  probe  was  received. 

P2:  If  a  probe  Is  sent  by  Cn  to  C,  when  edge 

((Tj  ,  S  j ) ,  (Tj  ,Sm))  is  white,  then  the  edge  will 

disappear  some  time  after  this  probe  is  sent  and 
before  it  is  received. 


£2:  *  controller  C,  can  determine  locally  If 
there  Is  an  outgoing1  edge  from  any  of  Its 
processes  (Tj,S.)  to  any  other  process;  however, 
It  cannot  determine  locally  the  colour  of  lnter- 
controllcr  edges  outgoing  from  (Tj.S,).  A 
controller  Cm  can  determine  locally  If  there  Is  an 
Incoming  black  edge  to  any  of  Its  processes 

<w- 

Ft;  A  probe  sent  along  any  edge  Is  received 
correctly  and  within  finite  time. 


6.5.  The  Probe  Computation  in  the  flDC  Model 

A  probe  computation  In  a  DOB  model  Is  exactly 
the  same  as  in  the  basic  model  except  that  Instead 
of  processes,  controllers  send  probes  to  one 
another.  Instead  of  having  a  process  (Tj.S,)  send 
a  probe  to  another  process  (T^.S,)  at  the  same 
computer  S,,  controller  C  ^  merely  Jlahels  (Tk,S.) 
as  having  received  a  meaningful  probe.  As  in  the 
basic  model,  the  n-th  probe  computation  Initiated 
by  controller  Cj  is  tagged  (j.n),  l.e.  all  labels 
and  probes  areJ  tagged  (J.n).  If  there  is  an 
outgoing  Inter-controller  edge  ((Tj ,S ,) , CT^ ,Sn) ) 
from  a  labeled  process  (T,  ,S,),  then  C,  sends  a 
piohe  to  Cn.  This  probe  carries  Kith  ft  the  tag 
(j.n)  as  well  as  the  identity  of  the  edge 
UTj,  S.) ,  (T,  ,Sm) ) ;  this  probe  Is  said  to  be  sent 
along  edge  ( (Tj ,S,) , (Tj ,Sm) ) .  This  probe,  from 
controller  C,  to  another  controller  Cn,  Is  said  to 
be  meaningful  if  the  edge  (<T( ,S.) , (Tj ,Sn) )  exists 
and  is  black  at  the  time  at  which  Cm  receives  the 
probe.  He  now  describe  a  single  probe 
computation,  say  the  (j.n)th.  Though  the  tag 
(J,n)  docs  not  appear  explicitly  in  the 
description.  It  should  be  assumed. 


6.6.  Algorithm  for  a  Probe  Computation 

Algorithm  Initiated  by  C,  to  determine  If 

process  (Tt,Sj)  Is  on  a  dark  cycle 

AO:  Label  all  processes  (T^.S.) 

reachable  from  process  (T^Sj) 
along  Intra-controller  edges.  If 
(Tj,Sj)  Is  labelled,  then  declare 
that  It  Is  on  a  black  cycle  of 
Intra-controller  edges. 

Otherwise,  If  there  is  an  Inter- 
controller  edge  from  a  labelled 
process  (Ta,Sj)  to  any  process 
(Ta,Sb)  then  send  a  probe  to  Cb 
along  edge  ((Ta,Sj) , (Ta,Sb>) . 

*1:  Upon  receiving  a  meaningful  probe 

along  any  Inter-controller  edge 
<<Tp.S„).(Tp.Sj)).  label  (T  ,S.) 
and  all  processes  reachable  *rrom 
(T  ,3.)  along  intra-controller 
edges.  If  (Tj.S.)  Is  labelled, 
declare  that  (T,,S|)  la  on  a  black 
cycle.  J 


AJpui'l  thm  _for  a_  Control  ler  Other  Than  the 
lilt  1 1  a  tor 

A2:  Upon  receiving  a  meaningful  probe 

along  an  Inter-control  1 <r  edge 
directed  towards  a  process 
label  (Tt,S  )  and  all  processes 
reachable  from  t  T  ^ .  U(n )  along 

Intra-controller  edRC3.  If  there 
is  an  Inter-controller  edge  from  a 
labelled  process  (Ta,Kn)  to  any 
process  (Tfl,Sb)  then  send  a  probe 
to  Cb  along  edge  ((Ta.Sra>,(T  ,Sb)) 
If  such  a  probe  has  not  already 
been  sent. 

Note:  Each  step  A0.A1.A2  of  the  algorithm, 

once  started,  mu3t  be  completed  before  the 
controller  can  send  or  receive  other  messages. 

Hence  the  intra-eoritroller  edges  and  outgoing 
inter-controller  edges  from  processes  in  S,  cannot 
chai gc  during  steps  AO  and  Al,  The  analogous 

condition  holds  for  Sm  in  stOF  A2. 

The  proof  of  the  algorithm  for  the  DDB  model  Is 
exactly  the  same  as  for  the  ba3lc  model.  The 
performance  issues  discussed  for  the  basic  model 
also  apply  to  the  DDB  model.  However,  there  is 
one  performance  issue  which  arises  in  the  DDB 
model  which  does  not  arise  In  the  basic  model. 
The  algorithm  presented  above  requires  a 
controller  Cj  to  Initiate  a  separate  probe 

computation  for  each  of  its  constituent  processes 

(Tj.S.).  We  now  show  how  the  number  of  probe 
computations  can  be  reduce,,. 


6.7.  How  to  Avoid  Initiating  a  Separate  Probe 
Computation  for  Each  Process 

When  a  controller  C,  wishes  to  determine  If  any 
of  Its  constituent  processes  are  on  dark  cycles  it 
first  determines  if  there  is  a  cycle  along  intra- 
controller  edges  alone.  If  there  is  no  intra- 
controller  cycle,  then  any  cycle  through  any 
constituent  process  (T^.S.)  mu3t  include  an  inter- 
controller  edge  dlrect-d  towards  a  constituent 
process  (T^.Sj).  Hence,  it  is  sufficient  for  a 
controller  to  initiate  separate  probe  computations 
for  processes  with  incoming  (black)  inter- 
controllor  edges.  Hence,  when  a  controller  wishes 
to  determine  if  any  of  its  processes  are 
deadlocked  it  initiates  0  separate  probe 
computations  where  Q  is  the  number  of  constituent 
processes  with  incoming,  black,  inter-controller 
edges. 


7.  SUMMARY 

We  have  preaented  a  solution  to  the  much- 
studied  problem  of  deadlock  detection  in 
distributed  data  base  systems.  A  formal  model 
based  on  coloured  graphs  was  used.  For  purposes 
of  exposition,  the  problem  was  introduced  in  two 
stages:  in  the  first  stage,  a  simple  model, 
called  the  basic  model  was  introduced  and  in  the 
second  stage  the  Mcnasee-Huntz  distributes  data 


base  model  was  discussed.  Our  algorithm  was 
proved  correct.  Details  regarding  the  different 
modes  of  resource  locking  and  other  features  of 
distributed  data  bases  have  not  been  Included 
here.  The  reader  Is  referred  to  13,61. 

A  great  deal  of  work  remains  to  be  done  on 
evaluating  the  performance  of  the  algorithm  and  on 
developing  algorithms  for  different  types  of 
distributed  systems. 


8.  Huh. m,  C..  "Distributed  hat  a  linn-' 
Management  -  Progress,  Problems,  Sine 
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Austin,  Texas  7671?,  Hay  1979. 


8.  ACKNOWLEDGEMENT 


Our  work  In  this  general  area  resulted  from 
reading  a  seminal  paper  by  Dljkstra  and  Scholten 
on  termination  detection  [2]  and  by  later 
discussions  with  them.  Virgil  Gllgor  showed  us 
that  the  DDB  problem,  though  apparently  simple, 
was  non-trivlal  and  interesting,  and  led  us  to  the 
sizable  body  of  work  on  the  subject. 


9.  REFERENCES 

1.  Chandy,  K.  M. ,  J.  Mlsra  and  L.  Haas,  "A 

Distributed  Deadlock  Detection 

Algoritnm  and  Its  Correctness  Proof, " 
submitted  to  the  Communications  of  the 
ACM.  . . 

2.  Dljkstra,  E.  W.  D.  and  C.  S.  Scholten. 
•iTermlnation  Detection  for  Diffusing 
Computations,"  Information  Processing 
Letters.  11,  1,  August  1990,  pp  1-9. 

3.  Henasce,  Daniel  and  Richard  Hunts, 
"Locking  and  Deadlock  Detection  in 
Distributed  Data  Bases."  IEEE 
Transaction s  on  Software  Engineering , 

Vol.  SE-57  No-  3.  May  1979. 

A.  Cligor,  Virgil  and  Susan  H.  Shattuck, 
"On  Deadlock  Detection  in  Distributed 
Systems,"  IEEE  Transactions  on  Software 
Engineering,  Vol.  SE-6,  No.  5, 
September  1980. 

5.  Tu,  Yao-Tin  and  Mohamed  Gouda, 
"Deadlock  Detection  for  a  Class  of 
Communicating  Finite  State  Machines," 
TR-193.  Computer  Sciences  Depatment, 
University  of  Texas,  Austin,  Texas 
78712. 

6.  Gray,  J.  N.,  "Notes  on  Data  Base 
Operating  Systems,"  in  Operat 1 ng 
Systems  and  Advanced  Course,  Berlin, 
Heidelberg:  Springer-Verlag,  1978,  Ch. 
3.F,  pp.  39A-A81. 

7.  Obermarck,  Ron,  "Global  Deadlock 
Detection  Algorithm,"  RJ2895,  IBM 
Research  Laboratory,  San  Jose, 
California  96193.  June  1980. 


